iPad Owners' Security Breached

It's been all over the news. A security breach on AT&T's website has exposed the email addresses of 114,000 iPad 3G users. The list includes politicians, members of the military, and corporate executives. While there are a number of security implications, it is interesting to see how the attackers were able to hack the system and retrieve the data. The original report states that the data was obtained "through a script on AT&T's website, accessible to anyone on the internet." They simply accessed this script and supplied two parameters: an ICC-ID, which identifies the SIM card in the iPad, and an iPad-style User Agent.

This is a good example of inadequate software security controls. The website did not authenticate the caller, exposed the feature to anyone on the internet, and accepted whatever ICC-ID and User Agent values were passed in without tying them to an account. Just like a building contractor needs to follow blueprints, building codes, and inspector guidelines, security needs to be baked into the software development life cycle so that these issues can be identified when software is being designed, built, and inspected.
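To make the three missing controls concrete, here is an added example (not AT&T's code, and not taken from the original report) that models the lookup as a pair of Python handlers: one that follows the pattern described above, where a client-supplied User Agent is the only "check" and any ICC-ID is looked up, and a hardened one that requires an authenticated session, validates the ICC-ID format, rate-limits per session, and only returns the email for an ICC-ID that belongs to the session's own account. The subscriber table, account IDs, ICC-IDs, emails, and the `login` function are all constructed stand-ins.

```python
"""Constructed model of an ICC-ID to email lookup, vulnerable and hardened.

The data below is made up; the handlers are illustrative, not AT&T's code.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed sample data: ICC-ID -> account id, account id -> email.
SUBSCRIBERS: Dict[str, str] = {
    "89014103211118510720": "acct-alice",
    "89014103211118510721": "acct-bob",
}
ACCOUNTS: Dict[str, str] = {
    "acct-alice": "alice@example.com",
    "acct-bob": "bob@example.com",
}

# Session token -> account id for callers who have already authenticated.
SESSIONS: Dict[str, str] = {}

# ICC-IDs are 19 or 20 decimal digits; reject anything else up front.
ICCID_RE = re.compile(r"^\d{19,20}$")


def lookup_email_vulnerable(icc_id: str, user_agent: str):
    """The weak pattern: no authentication, no authorization, and a
    User-Agent check that the caller controls. Anyone can enumerate
    ICC-IDs and harvest the matching emails."""
    if "iPad" not in user_agent:
        return None
    account = SUBSCRIBERS.get(icc_id)
    return ACCOUNTS.get(account) if account else None


def login(account_id: str) -> str:
    """Stand-in for a real authentication step (credential and MFA checks
    omitted in this constructed example). Returns a session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


@dataclass
class RateLimiter:
    """Counts requests per key; a real service would use a sliding window."""
    limit: int
    counts: Dict[str, int] = field(default_factory=dict)

    def allow(self, key: str) -> bool:
        self.counts[key] = self.counts.get(key, 0) + 1
        return self.counts[key] <= self.limit


LIMITER = RateLimiter(limit=5)


def lookup_email_hardened(icc_id: str, session_token: str) -> Tuple[bool, str]:
    """Returns (True, email) on success or (False, reason) when denied.

    Order matters: cheap checks (auth, format, rate limit) run before the
    data lookup, and a foreign or unknown ICC-ID gets the same answer so
    the endpoint is not an oracle for which ICC-IDs exist."""
    # 1. Authentication: the caller must hold a valid session.
    account = SESSIONS.get(session_token)
    if account is None:
        return (False, "not authenticated")
    # 2. Input validation: reject malformed identifiers early.
    if not ICCID_RE.match(icc_id):
        return (False, "malformed ICC-ID")
    # 3. Rate limiting per session slows down bulk enumeration attempts.
    if not LIMITER.allow(session_token):
        return (False, "rate limited")
    # 4. Authorization: the ICC-ID must belong to the authenticated account.
    owner = SUBSCRIBERS.get(icc_id)
    if owner != account:
        return (False, "not authorized")
    return (True, ACCOUNTS[account])


if __name__ == "__main__":
    ua = "Mozilla/5.0 (iPad; CPU OS 3_2 like Mac OS X)"
    print("vulnerable:", lookup_email_vulnerable("89014103211118510721", ua))
    token = login("acct-alice")
    print("hardened (own SIM):", lookup_email_hardened("89014103211118510720", token))
    print("hardened (other SIM):", lookup_email_hardened("89014103211118510721", token))
```

The point of the hardened handler is that the email is never selected by the caller-supplied ICC-ID alone: the session decides who the caller is, and the ICC-ID is only honored if it already belongs to that account. The User-Agent header plays no role at all, because the client sets it.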